5 Must-Read Reports for IT Security Leaders in Financial Services


In 2016, most attacks against financial services firms were unknowingly facilitated by “inadvertent actors,” reports IBM. That is, by insiders without malicious intent, such as employees or contractors, who simply clicked a bad link or downloaded the wrong attachment.

A November 2016 survey by Palo Alto, CA-based MetricStream found that 66.2 percent of financial organizations faced at least one cybersecurity attack over the preceding year. In 33 percent of data breach attempts against financial services firms, the attackers succeeded, according to Accenture [PDF], based on its own findings.

CIOs and CISOs in the financial services sector face mounting challenges. A cybersecurity talent shortage, outdated toolsets and new regulations make it difficult to ensure regulatory compliance and minimize risk across their organizations.

While the industry may have reversed the overall trend of year-over-year data breaches, as the ITRC Data Breach Report for 2016 [PDF] and the 2017 IBM X-Force Threat Intelligence Index (more below) indicate, this achievement has come at a price.

Often, the goal was accomplished through exceedingly restrictive web use policies to mitigate the inherent security weakness of the local web browser. Its interdependency with the local operating system and its resources allows for the execution of arbitrary code that can compromise the endpoint and the organization’s IT infrastructure.

Many financial organizations have locked down their IT infrastructure to reduce the attack surface for web-borne threats - at the risk of impeding productivity. But a simple page view request can still lead to major system exploits, data egress and significant financial damages.

There’s a way to protect the “inadvertent actors” from themselves. It’s called browser isolation - the local attack surface is removed by deploying the browser remotely, in a secure container in the cloud.

This way, all web code can be rendered in an isolated environment, and an interactive display of the web page gets delivered to the endpoint over an alternate, non-HTTP protocol. In a truly isolated browser environment, no web code ever reaches the local network or the endpoint - only benign, secure pixels.

Gartner analysts have described remote browsing as “one of the most significant ways an enterprise can reduce the ability of web-based attacks on users to cause damage.”

DDoS, Web Apps Top IT Security Risks in Banking

Distributed Denial-of-Service (DDoS) and web app attacks were the bane of IT security in the banking industry in 2016, according to the Verizon 2017 Data Breach Investigations Report, which presents an analysis of almost 2,000 data breaches across several industries. The report leverages the collective data from 65 organizations around the globe.

With 24 percent of data breaches - most of them through web app attacks - financial services rank first among the top three industries with data breaches examined by Verizon in 2017, followed by healthcare (15 percent) and the public sector (12 percent).

The researchers also report a 50 percent increase in ransomware attacks, compared to 2015. In 43 percent of data breaches, the attackers used phishing as the main method in financially motivated attacks.

The report warns that “pretexting” is another tactic on the rise. Cyber criminals use pretexting to initiate a dialogue by approaching an employee (via email) with an invented scenario, to elicit information or gain unauthorized access. With this method, they predominantly target employees in finance departments, who hold the keys to money transfers.

Our take:

In its 10th year now, Verizon’s DBIR is considered one of the most comprehensive resources on the state of IT security and data breaches. In the financial services sector, web app exploits accounted for only 31 percent of data breaches analyzed back in 2014. In 2016, they made up 76 percent of investigated attacks.

This rise reflects how criminals have shifted their focus to the weakest link in the IT security perimeter fence: the local browser. Due to the inherent security weakness of the web’s architecture, regular browsers have become the main gateway for attacks on the IT infrastructure in the financial services field.

This number may not exactly come as a surprise, following the recent wave of major data breaches, with millions of login credentials stolen. We think the growing web app risk and the password issue are closely related. For more on the topic and to decide for yourself, check out this post by Authentic8 co-founder and CEO Scott Petry.

Old Trojan Horses, New Blindspots Plague Banking Industry

SecurityScorecard is recognized as one of the leading resources for accurate and comprehensive cybersecurity rating and continuous risk monitoring in the industry. For its 2016 Financial Industry Cybersecurity Report, the security platform provider analyzed 7,111 financial institutions.

A large number of the investment banks, asset management firms and major commercial banks around the world that were included in the study showed significant vulnerabilities. Three results stand out:

Only one of the top 10 largest banks received an overall 'A' grade.

95 percent of the top 20 U.S. commercial banks (by revenue) received a network security grade of 'C' or below.

75 percent of these were infected with malware, including the Ponyloader exploit kit and Vertexnet, malicious software that manages to evade antivirus tools and features a keylogger component for stealing login credentials.

The company also found that third party vendors and partners that provide essential services to the financial services industry pose some of the greatest security risks.

Our take:

Growth through acquisition has been the name of the game in the financial services field of late. This trend goes hand in hand with increasing reliance on third-party vendors and external service providers. The adoption of web-based apps and services that support internal processes also adds to the mounting challenges of identifying cyber risk factors introduced by (new) outside business associates.

For financial services CIOs and CISOs who are looking for recent data and new insights on IT vendor risk management (or the lack thereof), we recommend the whitepaper review post 5 Vendor Risk Reports Every IT Leader Should Read as a starting point.

Cybersecurity in the Financial Services Industry

The majority of respondents to MetricStream’s survey The State of Cybersecurity in the Financial Services Industry reported at least one cyber attack.

Surveyed were 60 financial enterprises around the globe and across all industry sectors, including banking, insurance, asset management, diversified financials, investment services, and foreign exchange services.

Almost half of the surveyed financial firms reported employees to be the primary conduit through which an online attack was launched.

Our take:

While mobile banking, online banking, web apps and cloud services provide more routes for cybercriminals to breach a financial firm’s IT defenses, one constant remains: people make mistakes, which can expose the local network to attacks from the web.

Intensified training and cybersecurity awareness campaigns, as important as they are, have not prevented employees from clicking on phishing links or reusing passwords. The combination of user gullibility and negligence on one side and the inherent vulnerability of the web and web-based apps on the other is spelling more trouble going forward.

IT Security and Risk in Financial Firms

Ransomware and spear-phishing attacks are the current banes of the financial services industry, according to the 2016 Survey on Security and Risk in the Financial Sector published by SANS, the largest provider of cybersecurity training and certification to professionals at governments and commercial institutions worldwide.

Ransomware, identified by 55 percent of respondents, eclipsed spear-phishing (50 percent) as the top attack vector for the first time. The attacks reported in this survey caused considerable damage, with 32 percent of survey respondents citing losses between $100,001 and $500,000 as a result of data breaches.

Our take:

Ransomware-as-a-service schemes, which handle the malware distribution for a cut of the profits, took off in 2016. Financial firms had topped the target list before ransomware campaigns were automated, so it doesn’t come as a surprise that they now bear the brunt of more sophisticated campaigns.

In many cases, unsuspecting users who clicked on bad links unintentionally facilitated those attacks on their organization's assets. The survey stresses that most organizations are already focusing on controls such as email monitoring and security awareness training to reduce the potential for “risky” employee behavior.

The apparent lack of results underlines that blaming the victims of ransomware attacks and reactive awareness activism will not reverse the ransomware trend as long as employees remain exposed to complex web-borne threats at the endpoint.

Financial Services Remain #1 Target

In the 2017 IBM X-Force Threat Intelligence Index, the company reports that the total number of records compromised in data breaches grew a historic 566 percent in 2016 across all industries, from 600 million to more than 4 billion.

The bad news first: On average, financial firms and institutions experienced 65 percent more cyber attacks than organizations in other industries.

And now the good news: While the financial services sector was the most-targeted in 2016, the report’s data also show that it ranked only third in compromised records. The authors of the X-Force report credit financial firms’ continued investment in sustained security practices.

In their related publication Security Trends in the Financial Services Sector, the researchers report more attacks by insiders (58 percent) than by outsiders (42 percent) in 2016. The “insider” category, it should be noted, included many more “inadvertent actors” (53 percent) than malicious insiders (5 percent).

These IBM reports comprise observations from more than 8,000 monitored security clients of the company in 100 countries and data derived from non-customer assets in 2016.

Our take:

Compared to other industries, the financial services sector experienced the highest level of threats from those the IBM researchers label “inadvertent actors” - employees or contractors who unknowingly downloaded malicious attachments, got “clickjacked” or fell for a phishing scheme.

The web provides ample opportunity to encounter such traps - the IBM team alone monitors more than eight million spam and phishing attacks daily, while analyzing more than 37 billion web pages and images, according to the X-Force Threat Intelligence Index.

These big numbers serve as a stark reminder of why the web’s growth has created a widening security gap in organizations that rely on a Secure Web Gateway (SWG) and URL categorization / web filtering to maintain security when employees access the web. Web filtering has fallen way behind, and uncategorized URLs pose a growing risk.